Domain Name System Security Extensions (DNSSEC) 3 April 2017

Introduction to PKIs & CAs

In order to be trusted, the Internet must provide channels for secure and private communication between entities, which can be clearly authenticated in a mutually understood manner.

There are several commonly used mechanisms for supporting secure and private communication, transaction protection, and identity assertion and management. These include the so-called Internet PKI, which is commonly used for secure web browsing but can also be used for other applications; PKI for e-mail; RPKI, used by Regional Internet Registries to assert the holders of IP resources; and DNSSEC, which can be used to validate DNS queries. DANE is a new protocol that uses DNSSEC to allow owners to assert their own digital certificates, and therefore potentially incorporate the functionality of the Internet PKI into the global DNS.

This Introduction to PKIs & CAs provides an overview of how these mechanisms work and how they are deployed.

The topics include:

  • What is a Public Key Infrastructure?
  • How does Public Key cryptography work?
  • Why should I care about PKIs?
  • What is a CA?
  • How do I establish a publicly trusted CA?
  • What do I need to worry about?
  • What is RPKI?
  • What is DNSSEC?